Two questions (cookies & username lockout)

[mbrown]

How can I set it up that if within 15-20 they are not active it logs them out?

 

How hard would it be and if someone could explain it in a little more detail than expertsexchange how to do if you fail to log in with a certain username.

 

if someone tries to log in and fails 3 times with the username mbrown i would want that account locked for like 15-30 minutes.

 

thanks

[gevans]

If you're using sessions they use session.gc_maxlifetime for the maximum life time.

 

So usually after 1440 (usually) seconds or 24 minutes they will get logged out. This is set in your php.ini and can be changed.

 

As for only giving a user 3 attempts, I would use a session to make it easy. Use a session to store the username and the number of failed login attempts. If the number hits 3 store that information in a database with the current time.

 

Then everytime someone attempts to login check wether they've been locked out within the last 30 minutes.

[PFMaBiSmAd]

Stoting the bad attempt count in a session would allow unlimited attempts because a person or a bot script could get as many new sessions as they wanted. The bad attempt count must be maintained in the database.

[gevans]

Once a user or bot is on a site, they will maintain the same session while attempting to login, then when the third attempt is hit you can log the data in a database

[mbrown]

Stoting the bad attempt count in a session would allow unlimited attempts because a person or a bot script could get as many new sessions as they wanted. The bad attempt count must be maintained in the database.

 

how would you suggest to do that. could you give me a small code snippet about that?